Changeset 3897

Timestamp:

15/05/08 09:58:48 (11 years ago)

Author:

pjkersha

Message:

Working version with independent Policy Enforcement Point (Gatekeeper) + Polciy Decision Point for Pylons Browse code stack

python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py: extra help info in message for login error

python/ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py: mod to SignatureHandler? init due to change in WSSecurityConfig interface

python/Tests/authtest/authtest/controllers/test2.py,
python/Tests/authtest/authtest/lib/template.py: missed out on last check in

python/ndg.security.common/ndg/security/common/authz/pdp/proftp.py: udpate to init following change to PDPInterface class for browse code

python/ndg.security.common/ndg/security/common/authz/pdp/init.py: PDPInterface takes cfg keyword which can be file path or a ConfigParser? object

python/ndg.security.common/ndg/security/common/authz/pdp/browse.py:

• fixes to XPath queries.
• BrowsePDP now does some more of the work done previously by ows_server.models.ndgInterface.GateKeep and queries directly for role and AA values direct from the doc root
• made fix to WS-Security settings - may be picked up from the same config file as the PDP settings

python/ndg.security.common/ndg/security/common/authz/pep.py,
python/ndg.security.common/ndg/security/common/wsSecurity.py: allow generic cfg keyword for file path / config obj input

Location:

TI12-security/trunk/python

Files:

• Tests/authtest/authtest/controllers/test2.py (modified) (1 diff)
• Tests/authtest/authtest/lib/template.py (added)
• ndg.security.common/ndg/security/common/authz/pdp/__init__.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/authz/pdp/browse.py (modified) (13 diffs)
• ndg.security.common/ndg/security/common/authz/pdp/proftp.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/authz/pep.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/wsSecurity.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/login.py (modified) (1 diff)
• ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py (modified) (1 diff)

TI12-security/trunk/python/Tests/authtest/authtest/controllers/test2.py

@@ -11 +11 @@
         #   return render('/some/template.mako')
         # or, Return a response
-        return 'Hello World'
+        return render('signin')

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp/__init__.py

@@ -56 +56 @@
     
     def __init__(self, 
-                 cfgFilePath=None, 
                  cfg=None, 
                  cfgSection='DEFAULT',
@@ -62 +61 @@
         """PDPInterface(cfgFilePath|cfg|**cfgKw)
         
-        @type cfgFilePath: string
-        @param cfgFilePath: file path to configuration file
-        @type cfg: ConfigParser object to retrieve parameters from as an 
-        alternative to cfgFilePath input
+        @type cfg: string / ConfigParser
+        @param cfg: 
+        @type cfg: file path to configuration file or ConfigParser object to 
+        retrieve parameters from 
         @type cfgSection: string
         @param cfgSection: sets the section name to retrieve config params 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp/browse.py

@@ -76 +76 @@
     molesXMLNS = 'http://ndg.nerc.ac.uk/moles'
     csmlXMLNS = 'http://ndg.nerc.ac.uk/csml'
+    
+    roleElemName = 'attrauthRole'
+    aaElemName = 'dgAttributeAuthority'
+    
+    molesSimpleConditionPth = \
+        '%sdgMetadataSecurity/%sdgSecurityCondition/%ssimpleCondition'
+    
+    # MOLES B0 query
+    b0SimpleConditionXPth = molesSimpleConditionPth % (('{'+molesXMLNS+'}',)*3)
 
     # MOLES B1 is dynamically generated from B0 and has no schema    
-    b1dgSecurityConditionXPth = 'dgMetadataSecurity/dgSecurityCondition'
-    
-    # Add schemae prefixes for B0 query
-    b0dgSecurityConditionXPth = '{%s}%s'%(molesXMLNS,b1dgSecurityConditionXPth)
-    
-    csmlDGSecurityConditionXPth = \
-        '{%s}AccessControlPolicy/{%s}dgSecurityCondition' % ((csmlXMLNS, )*2)
-
-    molesXPathQueryPfx = \
-'{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}'
-    roleXPathQuery = molesXPathQueryPfx + 'attrauthRole'
-    roleXPathQuery = molesXPathQueryPfx + 'dgAttributeAuthority'
+    b1SimpleConditionXPth = molesSimpleConditionPth % (('', )*3)
+    
+    # CSML Query
+    a0SimpleConditionXPth = \
+        '{%s}AccessControlPolicy/{%s}dgSecurityCondition/{%s}simpleCondition'%\
+        ((csmlXMLNS, )*2 + (molesXMLNS,))
 
     defParam = {'aaURI': '',
@@ -95 +98 @@
                 'tracefile': '',
                 'acCACertFilePathList': [], 
-                'acIssuer': ''}
+                'acIssuer': '',
+                'wssCfgFilePath': None,
+                'wssCfgSection': 'DEFAULT'}
             
     
@@ -118 +123 @@
         
         self.resrcURI = None
-        self.securityElement = None
-        self.userHandle = None
+        self.resrcDoc = None
+        self.smURI = None
+        self.userSessID = None
         
         # Set from config file
         if isinstance(cfg, basestring):
-            self._readConfig(cfgFilePath)
+            self._readConfig(cfg)
         else:
             self._cfg = cfg
@@ -143 +149 @@
 
         
-    def _getSecurityElem(self):
-        '''Query the input document for a security constraint element.        
-        The query type is dependent on the schema of the document'''
+    def _getSecurityConstraints(self):
+        '''Query the input document for a security role and Attribute Authority
+        URI constraints.  The query structure is dependent on the schema of the
+        document
+        
+        @rtype: tuple
+        @return: required role and the URI for the Attribute Authority to 
+        query.  If role is None, no security is set'''
         
         if self.resrcURI.schema == 'DIF':
             log.info('BrowsePDP: DIF record found - no security applied')
-            return None # no access control
+            return None, None # no access control
         
         elif self.resrcURI.schema == 'NDG-B0':
             log.info(\
             'BrowsePDP: Checking for constraints for MOLES B0 document ...')
-            return self.resrcDoc.tree.find(BrowsePDP.b1dgSecurityConditionXPth)
+
+            roleXPth = '%s/{%s}%s' % (BrowsePDP.b0SimpleConditionXPth, 
+                                      BrowsePDP.molesXMLNS, 
+                                      BrowsePDP.roleElemName)
+            
+            aaXPth = '%s/{%s}%s' % (BrowsePDP.b0SimpleConditionXPth, 
+                                    BrowsePDP.molesXMLNS, 
+                                    BrowsePDP.aaElemName)
         
         elif self.resrcURI.schema == 'NDG-B1':
@@ -160 +178 @@
             log.info(\
             'BrowsePDP: Checking for constraints for MOLES B1 document ...')
-            return self.resrcDoc.tree.find(BrowsePDP.b1dgSecurityConditionXPth)
-         
+
+            roleXPth = '%s/%s' % (BrowsePDP.b1SimpleConditionXPth,
+                                  BrowsePDP.roleElemName)
+            
+            aaXPth = '%s/%s' % (BrowsePDP.b1SimpleConditionXPth,
+                                BrowsePDP.aaElemName)
+        
         elif self.resrcURI.schema == 'NDG-A0':
             log.info(\
-            'BrowsePDP: Checking for constraints for CSML document ...')
-            return \
-                self.resrcDoc.tree.find(BrowsePDP.csmlDGSecurityConditionXPth)
+                'BrowsePDP: Checking for constraints for CSML document ...')
+        
+            roleXPth = '%s/{%s}%s' % (BrowsePDP.a0SimpleConditionXPth, 
+                                      BrowsePDP.molesXMLNS, 
+                                      BrowsePDP.roleElemName)
+            
+            aaXPth = '%s/{%s}%s' % (BrowsePDP.a0SimpleConditionXPth, 
+                                    BrowsePDP.molesXMLNS, 
+                                    BrowsePDP.aaElemName)            
         else:
-            log.error('BrowsePDP._getSecurityElem: unknown schema type "%s"'%\
+            log.error('BrowsePDP: unknown schema type "%s"' % \
                       self.resrcURI.schema)
             raise PDPUnknownResourceType()
 
+        # Execute queries for role and Attribute Authority elements and extract
+        # the text.  Default to None if not found
+        roleElem = self.resrcDoc.tree.find(roleXPth)        
+        if roleElem is not None:
+            role = roleElem.text
+        else:
+            role = None
+            
+        aaURIElem = self.resrcDoc.tree.find(aaXPth)
+        if aaURIElem is not None:
+            aaURI = aaURIElem.text
+        else:
+            aaURI = None
+
+        return role, aaURI
+
   
-    def _readConfig(self):
+    def _readConfig(self, cfgFilePath):
         '''Read PDP configuration file'''
-        self._cfg.read(self.cfgFilePath)
+        self._cfg.read(cfgFilePath)
 
 
     def _parseConfig(self, section='DEFAULT'):
         '''Extract parameters from _cfg config object'''
+        log.debug("BrowsePDP._parseConfig ...")
+        
         # Copy directly into attribute of this object
         for paramName, paramVal in BrowsePDP.defParam.items():
+            if not self._cfg.has_option(section, paramName): 
+                # Set default if parameter is missing
+                log.debug("Setting default %s = %s" % (paramName, paramVal))
+                setattr(self, paramName, paramVal)
+                continue
+             
             if isinstance(paramVal, list):
                 listVal = expVars(self._cfg.get(section, paramName)).split()
@@ -217 +270 @@
         <moles:effect>allow</moles:effect>
             <moles:simpleCondition>
-            <moles:dgAttributeAuthority>https://glue.badc.rl.ac.uk/AttributeAuthority</moles:dgAttributeAuthority>
+            <moles:dgAttributeAuthority>http://dev.badc.rl.ac.uk/AttributeAuthority</moles:dgAttributeAuthority>
             <moles:attrauthRole>coapec</moles:attrauthRole>
         </moles:simpleCondition>
@@ -226 +279 @@
         tokens.  Resets equivalent object attribute."""
           
-        log.debug("BrowsePDP.accessPermitted ...")
-        
+        log.debug("Calling BrowsePDP.accessPermitted ...")
+        
+        if accessType is not None:
+            log.warning("BrowsePDP an accessType = [%s] " % accessType + \
+                        "was set Browse assumes all access type is based " + \
+                        "on the role attribute associated with the data")
+            
         # Resource handle contains URI and ElementTree resource security 
         # element
@@ -238 +296 @@
 
         # First query the document for a security constraint
-        self.securityElement = self._getSecurityElem()
-        if not self.securityElement:
+        role, aaURI = self._getSecurityConstraints()
+        if not role:
             # No security set
-            log.info("BrowsePDP: no security constraints found for [%s]" % \
+            log.info("BrowsePDP: no security role constraint found for [%s]" %\
                      self.resrcURI.schema + \
-                     " type document [%s]" % self.resrcURI)
+                     " type document [%s]: GRANTING ANONYMOUS ACCESS" % \
+                     self.resrcURI)
             return
-        
-        
-        # User handle contains 'h' = Session Manager URI and 'sid' user 
-        # Session ID
+                
+        # Check that the user is logged in.  - The User handle contains 
+        # 'h' = Session Manager URI and 'sid' user Session ID
         try:
             self.smURI = userHandle['h']
@@ -255 +313 @@
             log.error("User handle missing key %s" % e)
             raise PDPUserNotLoggedIn()
-
-            
-        roleElem = self.securityElement.find(BrowsePDP.roleXPathQuery)
-        if roleElem is None or not roleElem.text:
-            log.error("PDP: role not set in MOLES security " + \
-                      "constraints")
-            raise PDPMissingResourceConstraints()
-        
-        self.reqRole = roleElem.text
-
-        aaElem = self.securityElement.find(BrowsePDP.aaXPathQuery)
-        
-        # Sanity check on Attribute Authority URI
-        if aaElem and aaElem.text:
-            aaURI = aaElem.text
-            
+        
+        # Sanity check on Attribute Authority URI retrieved from the data
+        if aaURI:            
             # Check Attribute Authority address
             try:
                 BrowsePDP.urlCanBeOpened(aaURI)
+                
             except URLCannotBeOpened, e:
-                # Catch situation where either Attribute Authority address in the
-                # data invalid or none was set.  In this situation verify
-                # against the Attribute Authority set in the config
-    
-                log.warning('PDP: MOLES security constraint ' + \
+                # Catch situation where either Attribute Authority address in 
+                # the data invalid or none was set.  In this situation verify
+                # against the Attribute Authority set in the config   
+                log.warning('BrowsePDP: security constraint ' + \
                             'Attribute Authority address is invalid - ' + \
                             'defaulting to config file setting: %s; ' % \
@@ -286 +331 @@
                 aaURI = self.aaURI
         else:
-            log.warning("PDP: Attribute Authority element not " + \
+            log.warning("BrowsePDP: Attribute Authority element not " + \
                         "set in MOLES security constraints - defaulting " + \
                         "to config file setting: %s" % self.aaURI)
@@ -293 +338 @@
         # Retrieve Attirbute Certificate from user's session held by
         # Session Manager
-        attCert = self._pullUserSessionAttCert(aaURI)
+        attCert = self._pullUserSessionAttCert(aaURI, role)
         
         # Check its validity
         self._checkAttCert(attCert)
                    
-        log.info('PDP - access granted for user "%s" ' % \
+        log.info('BrowsePDP: ACCESS GRANTED for user "%s" ' % \
                  attCert.userId + \
                  'to "%s" secured with role "%s" ' % \
-                 (self.resrcURI, self.reqRole) + \
+                 (self.resrcURI, role) + \
                  'using attribute certificate:\n\n%s' % attCert)
             
         
-    def _pullUserSessionAttCert(self, aaURI):
+    def _pullUserSessionAttCert(self, aaURI, role):
         """Check to see if the Session Manager can deliver an Attribute 
         Certificate with the required role to gain access to the resource
@@ -312 +357 @@
         @type aaURI: string
         @param aaURI: address of Attribute Authority that the Session Manager
-        will call in order to request an AC on behalf of the user"""
+        will call in order to request an AC on behalf of the user
+        
+        @type role: string
+        @param role: role controlling access to the secured resource"""
         
         try:
-            # Create Session Manager client
+            # Create Session Manager client - if a file path was set, setting
+            # are read from a separate config file section otherwise, from the
+            # PDP config object
             self.smClnt = SessionMgrClient(uri=self.smURI,
-                            cfgFilePath=self.cfgFilePath,
-                            cfgFileSection='WS-Security',
-                            sslCACertFilePathList=self.sslCACertFilePathList,
-                            tracefile=self.tracefile,
-                            **self.wssCfg) 
+                                    cfg=self.wssCfgFilePath or self._cfg,
+                                    cfgFileSection=self.wssCfgSection,
+                                    **self.wssCfg)
         except Exception, e:
-            log.error("PDP: creating Session Manager client: %s"%e)
+            log.error("BrowsePDP: creating Session Manager client: %s" % e)
             raise InitSessionCtxError()
         
@@ -331 +379 @@
             attCert = self.smClnt.getAttCert(attAuthorityURI=aaURI,
                                              sessID=self.userSessID,
-                                             reqRole=self.reqRole)
+                                             reqRole=role)
             return attCert
         

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp/proftp.py

@@ -76 +76 @@
                 'acIssuer': ''}
        
-    def __init__(self, cfgFilePath=None, **cfgKw):
+    def __init__(self, cfg=None, **cfgKw):
         """Initialise settings for WS-Security and SSL for SOAP
         call to Session Manager
@@ -87 +87 @@
         """
         
-        self.cfgFilePath = cfgFilePath
+        self.cfgFilePath = cfg
         self.resrcURI = None
         self.securityElement = None

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pep.py

@@ -76 +76 @@
         if isinstance(cfg, basestring):
             log.debug('Setting PEP config from file: "%s" ...' % cfg)
-            self.readConfig(cfgFilePath)
+            self.readConfig(cfg)
         else:
             log.debug('Setting PEP config from existing config object ...')

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py

@@ -162 +162 @@
 
     #_________________________________________________________________________
-    def __init__(self, cfgFilePath=None, cfgFileSection='DEFAULT',
+    def __init__(self, cfg=None, cfgFileSection='DEFAULT',
                  cfgClass=WSSecurityConfig, **kw):
         '''
@@ -249 +249 @@
             raise TypeError("%s is not a sub-class of WSSecurityConfig" % \
                             cfgClass)
-        self.cfg = cfgClass()
         
         # Read parameters from config file if set
-        if cfgFilePath:
+        if isinstance(cfg, basestring):
+            log.debug("SignatureHandler.__init__: config file path input ...")
+            self.cfg = cfgClass()
+            self.cfg.read(cfg)
+        else:
+            log.debug("SignatureHandler.__init__: config object input ...")
+            self.cfg = cfgClass(cfg=cfg)
+            
+        if cfg: # config object or config file path was set
             log.debug("SignatureHandler.__init__: Processing config file...")
-            self.cfg.read(cfgFilePath)
             self.cfg.parse(section=cfgFileSection)
-        
+
         # Also update config from keywords set 
         log.debug("SignatureHandler.__init__: setting config from keywords...")

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -104 +104 @@
         except Exception, e:
             c.xml = "Error logging in.  Please check your username/" + \
-                    "pass-phrase and try again."
+                    "pass-phrase and try again.  If the problem persists " + \
+                    "please contact your site administrator."
             log.error("Session Manager connect returned: %s" % e)
             response.status_code = 401

TI12-security/trunk/python/ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py

@@ -99 +99 @@
     # Create the Inherited version of the server
     echo = EchoService()
-    echo.signatureHandler = wsSecurity.SignatureHandler(\
-                                                cfgFilePath=wsseCfgFilePath)
+    echo.signatureHandler = wsSecurity.SignatureHandler(cfg=wsseCfgFilePath)
 
     serviceContainer.setNode(echo, url=path)